Wednesday, April 18, 2012

This is nothing earth-shattering so I'll try to make it short and sweet. And I'll add the pertinent links later. If I feel like it.

A couple of weeks ago, the InfoSec Institute announced a privilege escalation problem with wicd in Backtrack 5 R2, which caused the BT people to go into Butthurt Mode and emit a Class 3 Shit Storm.

"Tut, tut," they proclaimed, "you can't escalate privileges on a system designed to be run as root and besides it's not our fucking code."

The InfoSec people said "Ooopsie!", the wicd wonks fixed it, and everyone went on with their lives.

Meanwhile, Hinky stumbles onto a really insecure network while he's hacking around on BT5 R2. Digging into the available BT tools, he finds netdiscover-0.3beta7, which is basically an arp-spoofing tool in the Information Gathering→Network Analysis→Identify Live Hosts "hive".

It worked great, except the built-in OUI list was ancient and didn't identify over 90% of the hosts I found. So I searched around for the code and found this, in which the author states:

I’ve written a patch for NetDiscover 0.3-beta7 (the last release) that eliminates libnet dependency.

Apparently he had some religious objection to linking the software with both libnet (old) and libpcap (well maintained), so he fixed it. He then gives a link to the package at backtrack.it, the Italian headquarters of Backtrack. So I figure hot damn this must be the place! And the link doesn't fucking work.

Just my luck.

But this is the Internet, so it has to be somewhere. I find "an equivalent package" here, also with the same notes about eliminating the dependencies on libnet.

Great. Well that settles that. And there's an OUI update script! Great stuff. I update the OUIs and compile the program and then...

I am disappoint. : (

It works, but it doesn't find the hosts that the stock BT5/R2 version finds. WTF is going on here?

So I run both programs through Wireshark to see the differences. And the difference is: the BT5 version sends the correct MAC address of my NIC and the "equivalent package"—same version number and beta level, mind you—sets my MAC to...

ca:fe:ca:fe:ca:fe

How about that? So I look into the code and sure enough, in the source file ifaces.c, under a comment titled...

/* Shitty globals */

... is an array of unsigned chars representing just that value. As an experiment, I change the array to my MAC address, recompile, and run it.

It works fine. It finds the same hosts that the standard, off the shelf, BT5 code—same version number and beta level—finds. And now it identifies the OUIs properly.
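What that hardcoded source address does on the wire, as an added example that is neither the author's nor netdiscover's code: the ARP request carries the scanner's MAC as the sender hardware address, the probed host answers unicast to that address (RFC 826), and a reply addressed to ca:fe:ca:fe:ca:fe is only delivered if the capture interface happens to be in promiscuous mode. The NIC, host and responder addresses below are constructed for the example.

```python
import struct

NIC_MAC = "00:11:22:33:44:55"   # assumed real interface address (constructed)
CAFE_MAC = "ca:fe:ca:fe:ca:fe"   # the value hardcoded in netdiscover's ifaces.c
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_P_ARP = 0x0806

def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet II + ARP request: the frame an ARP scanner emits for each probed IP."""
    eth = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # htype, ptype, hlen, plen, opcode=request
    arp += mac_bytes(sender_mac) + bytes(map(int, sender_ip.split(".")))
    arp += b"\x00" * 6 + bytes(map(int, target_ip.split(".")))
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields a responding host uses to address its reply."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_ha = mac_str(frame[22:28])
    sender_ip = ".".join(map(str, frame[28:32]))
    target_ip = ".".join(map(str, frame[38:42]))
    return opcode, sender_ha, sender_ip, target_ip

def build_arp_reply(request, responder_mac):
    """The host replies unicast to the request's sender hardware address, not to broadcast."""
    _, sender_ha, sender_ip, target_ip = parse_arp(request)
    eth = mac_bytes(sender_ha) + mac_bytes(responder_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # opcode=reply
    arp += mac_bytes(responder_mac) + bytes(map(int, target_ip.split(".")))
    arp += mac_bytes(sender_ha) + bytes(map(int, sender_ip.split(".")))
    return eth + arp

def nic_accepts(frame, nic_mac, promiscuous=False):
    """A NIC delivers a frame only if it is addressed to it, is broadcast, or the NIC is promiscuous."""
    dst = mac_str(frame[0:6])
    return promiscuous or dst == nic_mac or dst == BROADCAST

def scan_sees_host(scanner_src_mac, nic_mac, promiscuous=False):
    """Does the scanner ever receive the reply for one probed host?"""
    req = build_arp_request(scanner_src_mac, "192.168.1.10", "192.168.1.20")
    rep = build_arp_reply(req, "66:77:88:99:aa:bb")   # constructed responder MAC
    return nic_accepts(rep, nic_mac, promiscuous)
```

With the real MAC in the sender field the reply comes back to the NIC; with the CAFE constant it is silently dropped unless the interface is promiscuous, which matches the Wireshark observation above.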

So... what is the difference in the code, besides the OUI issue? Intrigued, I ran both executables through "strings" and discovered that the BT5 version is linked to libnet. Try it yourself:

# strings /usr/local/sbin/netdiscover | grep libnet

No denying this is not the same code. The fine folks at Backtrack took "netdiscover-0.3beta7" and put the libnet stuff back in.

Like I said, this is not earth-shattering, but I have to take Backtrack's "not our code" position with a grain of salt from now on. I ended up hacking "netdiscover-0.3beta7" to put the real MAC into the "CAFE" array, but I wouldn't have had to do that if BT would release their code.